METHOD AND APPARATUS FOR ENCRYPTED COMMUNICATIONS TO A SECURE SERVER

BACKGROUND OF THE INVENTION 


1. Field of the Invention 

The present invention relates generally to communication with a
network, and in particular, relates to encrypted communication with a network via a
secure server.

2. Background Information 

Networks such as the Internet and World Wide Web (web) are
extremely popular to users as a source of information and entertainment. The web
is used for communication between central sites (e.g., web sites) on the Internet and
individual users who wish to communicate with the site. Two programs typically
control the communications: a web browser that runs on the user's computer and a
web server that runs on the web site's computer.

To obtain information from a web site, a web browser sends a request
to a web server by transmitting a uniform resource locator (URL) address of the web
site and by using a communication protocol such as Transmission Control
Protocol/Internet Protocol (TCP/IP). In typical situations, such a request to the web
server is in the form of a hypertext transfer protocol (HTTP) request that results in a
transmission of hypertext markup language (HTML) documents (e.g., web pages)
back to the web browser.

Many employers provide their employees with terminals, such as
personal computers (PCs), which the employees can use to access the Internet to
send/receive email and to "surf the Net." According to a common configuration,
such PCs are connected together in a company's internal network, such as a local
area network (LAN), and then connected via the company's proxy server to Internet
servers.

The proxy server often serves as part of the company's "firewall,"
where incoming and outgoing communications can be monitored by the company's
information systems. In operation, employees are generally forced to connect to the
Internet via this firewall. In other words, all communications (usually in the form of
packets) are passed first through the proxy server, and then out to the destination
web site. Similarly, content requested from the Internet, such as HTML pages, is
first sent to the proxy server, and then forwarded to the employee's terminal for
display by a web browser.

Because of this standard network architecture, individual terminals
(e.g., users or employees) are vulnerable to the monitoring of: a) content uploaded
by the user to a web site, such as Internet email messages that the user writes and
sends; b) content downloaded from a web site, such as HTML pages viewed on the
web site or Internet email messages that the user receives and reads; and c) the
Internet Protocol (IP) or URL addresses of servers to which the user sends/receives
packets.

There are similar privacy and security issues involved with network
architectures other than the corporate network described above. For example, users
accessing the Internet from terminals in their homes sometimes have their packets
routed through an Internet Service Provider (ISP) and/or along a system having a
ring or loop configuration, such as a cable modem system. In such situations,
hackers or other parties have the opportunity to monitor individual users'
communication at the ISP or at other locations, and thus can obtain information that
the users wish to keep confidential, such as URLs of visited web sites, IP addresses
of servers used, content (e.g., HTML pages or email) sent/received by the user, etc.

Additional mechanisms are implemented by Internet-based systems
that further jeopardize the freedom of users to communicate privately and securely
with the Internet. For instance, companies that control employees' Internet usage
sometimes implement firewall blocking or filtering to prevent access to particular web
sites. Also, visited web sites often record IP addresses of clients (e.g., users) and
collect other data to help identify clients during a profiling process. Further, web
servers typically transmit "cookies" for storage in users' terminals. Cookies are
electronic files sent by the web server to the web browser to help identify the user
and to prepare customized web pages when the user returns to the web site. In
typical situations, web pages and histories of URLs accessed (e.g., a web browser
history file) are stored at the user's terminals, thereby further compromising the
privacy of the user.

In short, there is a need to improve private and secure communications 
over networks such as the Internet. 



BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments of the present invention
will be described in the following figures, wherein like reference numerals refer to
like parts throughout the various views unless otherwise specified.

Figure 1 shows a system that can implement an embodiment of the
invention.

Figure 2 is a flowchart showing an embodiment of a method for secure
communication that can be implemented by the system of Figure 1.

Figure 3 shows an embodiment of a browser window that can be
displayed using the secure communication method of Figure 2.

Figure 4 shows a system that can implement another embodiment of
the invention.

Figure 5 is a flow chart showing an embodiment of a method for secure
communication that can be implemented by the system of Figure 4.
DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

Embodiments of a method and apparatus for secure communication to
a network, such as the Internet, via a secure server are described in detail herein. In
the following description, numerous specific details are provided, such as a
description of various system components in Figure 1, to provide a thorough
understanding of embodiments of the invention. One skilled in the relevant art will
recognize, however, that the invention can be practiced without one or more of the
specific details, or with other methods, components, etc. In other instances,
well-known structures or operations are not shown or described in detail to avoid
obscuring aspects of various embodiments of the invention.

Reference throughout this specification to "one embodiment" or "an
embodiment" means that a particular feature, structure, or characteristic described in
connection with the embodiment is included in at least one embodiment of the present
invention. Thus, the appearances of the phrases "in one embodiment" or "in an
embodiment" in various places throughout this specification are not necessarily all
referring to the same embodiment. Furthermore, the particular features, structures, or
characteristics may be combined in any suitable manner in one or more
embodiments.

Referring first to Figure 1, shown generally at 10 is a system that can
implement an embodiment of the invention. The system 10 can include a network
12, such as the Internet, but other types of communication networks may be utilized
as well. For example, the network 12 can comprise a local area network (LAN),
virtual local area network (VLAN), asynchronous transfer mode (ATM) network, or
other network or portion of a network.
The system 10 includes one or more secure servers 14
communicatively coupled to one or more terminals 16 via one or more secure links
18. The server 14 can be coupled to other servers (not shown) in the network 12
that run web server software. The servers in the network 12 can provide a plurality
of web sites 17 and 19 having HTML, extensible markup language (XML), extensible
style language (XSL), etc. web pages. Typically, the web sites 17 and 19 (or other
components coupled to the network 12) are identifiable by a numeric IP address
and/or by a URL address.

The web pages of the web sites 17 and 19 can be provided to
components (e.g., to servers or terminals) communicatively coupled to the network
12 using a protocol such as TCP/IP, HTTP, FTP, or other suitable protocol. In one
embodiment, the server 14 can securely provide web pages to the terminal 16, in a
manner that will be described in further detail below.

The server 14 can include one or more processor units 30 to perform
the various methods, processes, and algorithms described herein, using a compiler,
for example. The processor unit 30 can be communicatively coupled to one or more
database units 32, in a manner such that information in the database unit 32 is
accessible by the processor unit 30. The server 14 can also include a storage unit
34 to provide the server 14 with additional storage capacity for storing software and
other data. The server 14 may further include a communication unit 36 to provide
communication hardware, software, protocols, and other features and functions for
communication between the server 14 and the terminal 16 (or between the server 14
and other components connected to the network 12).

The storage unit 34 and database unit 32 can comprise machine-readable
media. According to one embodiment, the storage unit 34 can store
machine-readable instructions or software to perform the various functions described
throughout this detailed description to provide secure communication with the
terminal 16. The database unit 32 can store information specific to particular users
or terminals 16, cookies, electronic files, and other such data related to one or more
communication sessions between terminals 16 and the secure server 14.

The terminals 16 can comprise personal computers (PCs) to access
the server 14. The terminals 16 each have a display unit 20 that allows users to
view information sent to and from the server 14, using a suitable commercially
available web browser such as Microsoft's Internet Explorer™ or Netscape's
Navigator™. The terminal 16 can include an input/output unit 22, such as a
keyboard and mouse. The terminal 16 may also include a processor 24, and a
storage unit 26, which can be any type of machine-readable storage medium such
as read only memory (ROM), random access memory (RAM), compact disks (CDs),
digital versatile disks (DVDs), hard disk, magnetic tape, floppy disks, etc. The
storage unit 26 can store the web browser, and can also include caches to store
downloaded web pages and other information obtained during the course of
communication with the network 12.

Although the terminal 16 is described herein for illustrative purposes as
a PC, it is to be appreciated that other types of terminals may be used. These
include laptops, enhanced functionality wireless devices, handheld devices,
television sets, workstations (e.g., dumb terminals) connected to a network, and
other such devices that can communicate with the network 12. Accordingly,
embodiments of the invention are not limited by the specific type of terminal used.

The terminal 16 can be a stand-alone unit, or it may be connected to
other terminals 16 forming part of a corporate LAN, for example. A typical corporate
LAN communicates with the network 12 via a proxy server 38, operated by
information systems 40. In many cases, the information systems 40 and/or the
proxy server 38 operate a firewall system 42 to control and monitor network traffic
sent to and from the network 12.

According to an embodiment of the invention, communication between
the terminal 16 and the network 12 is conducted on the secure link 18 that goes
through the proxy server 38 and firewall system 42. In such an embodiment, the
communication can pass freely through the proxy server 38 and firewall system 42 in a
secure and private manner, as will be described below.

The secure link 18 can be an ISDN, T1, xDSL, SONET, Ethernet, or
other type of high-speed link. The secure link 18 may also be a telephone modem
link. Twisted-pair, coaxial cable, fiber optic, or other types of physical links/lines may
be used. Wireless links, such as radio frequency, satellite, microwave, optical, etc.
may be used as well. Accordingly, embodiments of the invention are not limited by
the specific type of link used by the secure link 18.

Although a LAN-type configuration is shown in the embodiment of
Figure 1, it is understood that other embodiments of the invention may be
implemented in other ways. For example, in one embodiment, an ISP may take the
place of the proxy server 38, information systems 40, and firewall system 42, where
the terminal 16 is an individual unit located in the user's home. Other configurations,
such as loop configurations, are possible for implementing embodiments of the
invention, so long as the secure link 18 can be provided between the terminal 16
and the secure server 14.

Shown next in Figure 2 is a flowchart 46 depicting a method for secure
communication that can be implemented by the system 10 of Figure 1. A
communication typically begins at a block 48, when the user launches a web
browser in the terminal 16. Once the web browser is launched, the user may
connect to the secure server 14 by entering a URL address of the secure server 14.
The address entered by the user may include the conventional http://
prefix, followed by the URL address (e.g., domain name) of the secure server 14
(which may include the conventional "www" designation). In one embodiment, the
user may enter the prefix https://, followed by the URL address of the secure server
14, where https:// indicates a "hypertext transfer protocol secure" mode supported by
software of the secure server 14.

Once the user has entered the URL address of the secure server 14,
the web browser initiates a communication with the secure server 14 (e.g., sends a
request) at the block 50. It is noted that such a communication is typically
transmitted through the firewall system 42 and proxy server 38. In response to the
web browser request, the secure server 14 establishes the secure link 18 to the
terminal 16.

According to an embodiment of the invention, the secure link 18 may
be established by the secure server 14 using secure sockets layer (SSL)
protocols and procedures, in a manner known in the art. Once the secure link 18 is
established, data may be exchanged between the secure server 14 and the terminal
16 in an encrypted manner, for example using RSA (with public and private keys) to
authenticate the server and exchange a session key, and a symmetric cipher under
that session key for the data itself, or other suitable encryption algorithms.

The user may establish the secure link 18 with the secure server 14
simply by entering https:// in one embodiment. In another embodiment, where the
user enters http:// plus the URL address of the secure server 14, the secure link 18
may be established, for example, by subsequently clicking an "Enter Secure Mode"
button on a web page provided by the secure server 14 in response to the initial web
browser request/communication. In that second embodiment the initial request and
the page carrying the button travel in the clear, so the proxy server 38 can observe,
and in principle alter, them; only the communication after the button is clicked is
protected by the secure link 18.

Upon establishment of the secure link 18, a secure browser window
may be displayed (at a block 52) on the display unit 20 of the terminal 16. An
example of such a secure browser window is shown at 66 in Figure 3. The secure
browser window 66, in one embodiment, may be a new browser window launched
on the terminal 16 by the secure server 14. In another embodiment, the secure
browser window 66 may be a modified and secure version of the browser window
which was previously launched at the block 48, and which is subsequently
modified/secured by the secure server 14.

The secure browser window 66 can include a conventional menu/tool
bar 68, an address field 70 to enter URL addresses of destination web sites, and
scrolling controls 72 and 74. Additionally, the secure browser window 66 may
include an icon 76 to assist the user in visually recognizing that the secure link 18
with the secure server 14 is active.

A display region of the secure browser window 66 can display a
plurality of banner advertisements 78, 80, and 82, each provided with hypertext
link(s). In some instances, one or more of the banner advertisements 78, 80, or 82
can be located in other regions of the secure browser window 66, such as next to
the address field 70 (in the window's "chrome"), and not just in the display region.
Specific tailoring (e.g., profiling) of these banner advertisements 78-82
with respect to the user is described later below. The display region can also display
content 84 from web pages of websites 17 and 19 subsequently requested by the
user. The displayed content 84 can include one or more hypertext links 86-88.

It is noted at this point that because the secure link 18 is active, the
proxy server 38 and/or information systems 40 cannot determine the content
displayed by the secure browser window 66. While the proxy server 38 and/or
information systems 40 may be able to detect that a communication is ongoing with
the secure server 14 (e.g., by detecting the URL address of the secure server 14
that generated the secure browser window 66), all other content exchanged between
the terminal 16 and secure server 14 is unintelligible data. That is, because the data
is encrypted and because the proxy server 38 and/or information systems 40 do not
have the decryption key (e.g., the private key or the negotiated session key), data
sent to and from the secure browser window 66 is an incoherent data stream to them.
This holds only when the browser in the terminal 16 negotiates the SSL session end
to end with the secure server 14; a proxy server 38 that terminates the SSL
connection itself, presenting the browser a certificate the terminal has been
configured to trust, would see the plaintext.

As an example at a block 54 in the flowchart 46 of Figure 2, the user
may subsequently enter a URL address of a destination web site in the address field
70. To send the URL address of the web site to the secure server 14 according to
one embodiment, the web browser can first concatenate the URL address of the
destination web site to the currently active URL address of the secure server 14 (by
separating them with a forward slash "/"), encrypting the portion of the concatenated
URL address that has the URL address of the destination web site, and then
transmitting this data/request to the secure server 14. Where the secure link 18 is
an SSL connection, the whole HTTP request, including the concatenated address,
travels inside the encrypted channel, so an observer on the path sees only the IP
address (and any DNS lookup) of the secure server 14. The information detected by
the proxy server 38 and/or information systems 40, if any, may thus be just the URL
address of the secure server 14, followed by unintelligible encrypted data. In this
manner, it appears to the proxy server 38 and/or information systems 40 that all
communication from the terminal 16 is directed to the secure server 14 and not to
other URL or IP addresses. The proxy server 38 and/or information systems 40
cannot determine the activity at the secure server 14 directed towards transactions
with the destination web site.

Upon receipt of the request from the user's web browser, the software
in the secure server 14 decrypts the request to obtain the URL address of the
destination web site. The secure server 14 then connects to the destination web site
to obtain the appropriate web page, while performing additional encryption or URL
rewriting to hide or delete the IP address of the terminal 16 that originated the
request. As such, according to one embodiment, the destination web site cannot
determine the IP address of the terminal 16 that originally requested the web page,
due to the fact that the IP address of the secure server 14 appears as the source
address to the web site. For this to hold, the secure server 14 must also refrain from
forwarding request headers that would carry the terminal's address or history to the
destination (e.g., an X-Forwarded-For or Via header, or a Referer naming a page the
terminal visited before entering secure mode). Therefore, IP addresses of users and
their identity are kept protected from visited web sites.

When the requested web page is received from the destination web
site by the secure server 14, software in the secure server 14 performs various
manipulative processes on the web page at a block 56. For example, software of
the server 14 can perform URL rewriting of hypertext links in the web page, such
that URL addresses of these hypertext links are concatenated with the URL address
of the secure server 14, separated by a forward slash "/". Relative links are first
resolved against the URL address of the retrieved page, so that the concatenated
address names the destination web site in full. These modifications
prevent any further contact between the terminal 16 and web sites corresponding to
the hypertext links, except via the secure server 14, if these hypertext links are
subsequently clicked by the user, as described later with respect to a block 60 in the
flowchart 46.

The software of the secure server 14 may also make modifications to
the script and/or code of the web page, such as modifications to the HTML,
JavaScript™ and Java™ code. This ensures that the user's web browser never
receives an instruction to contact a web site or server other than the secure server
14. For example, with prior art methods, the user's web browser may receive a
command to contact various other servers or web sites (e.g., third-party ad servers
or web sites linked to the displayed web page via hypertext links), which results in
the transmission of the IP address of the terminal 16 to these other servers or web
sites. An embodiment of the invention rewrites such commands so that the user's
web browser instead contacts the secure server 14, and asks it to retrieve the
appropriate web page, file, etc., thereby protecting the IP address of the terminal 16
from the other servers or web sites. The rewriting must cover every attribute and
construct that causes the browser to fetch something (e.g., image and frame
sources, form actions, style sheet references, and URLs assembled by script at
run time); any one left unrewritten lets the browser contact the other server
directly and reveals the IP address of the terminal 16.
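The URL concatenation of block 54 and the link rewriting of block 56, as an added example that is not part of the patent: a gateway (standing in for the secure server 14, or for the spoofing unit 92 at block 110 of Figure 5 when its address is passed as the gateway) recovers the destination from a concatenated request URL, and rewrites every URL-bearing HTML attribute of the fetched page so that the browser only ever addresses the gateway. The gateway and destination addresses, the sample page and the list of attributes are assumptions made for this example; script rewriting is not shown, and encryption is left to the SSL link as in the patent.

```python
"""Added example (not the patent's software): URL concatenation and link
rewriting for a gateway such as the secure server 14 or the spoofing unit 92.
Addresses, the sample page and the attribute list are hypothetical."""
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical gateway address standing in for the secure server 14.
GATEWAY = "https://secure.example"

# Attributes whose value makes the browser fetch another resource.
URL_ATTRS = {"href", "src", "action", "background"}


def proxied_url(gateway, destination):
    """Concatenate the destination URL after the gateway URL, separated by '/'."""
    return gateway.rstrip("/") + "/" + destination


def split_proxied_url(request_url):
    """Gateway side: recover (gateway, destination) from a concatenated URL.
    Returns None when the request carries no destination address."""
    parts = urlsplit(request_url)
    destination = parts.path.lstrip("/")
    if parts.query:
        destination += "?" + parts.query
    if not destination.startswith(("http://", "https://")):
        return None
    return f"{parts.scheme}://{parts.netloc}", destination


class LinkRewriter(HTMLParser):
    """Rewrite every URL-bearing attribute so the browser contacts only the gateway.
    Script content is passed through unchanged; rewriting script is a separate task."""

    def __init__(self, gateway, page_url):
        super().__init__(convert_charrefs=False)  # re-emit entities verbatim
        self.gateway, self.page_url = gateway, page_url
        self.out, self.rewritten = [], 0

    def _rewrite(self, value):
        absolute = urljoin(self.page_url, value)  # relative links become absolute
        if urlsplit(absolute).scheme not in ("http", "https"):
            return value  # mailto:, javascript:, data: do not fetch from a web site
        self.rewritten += 1
        return proxied_url(self.gateway, absolute)

    def handle_starttag(self, tag, attrs):
        pieces = [tag]
        for name, value in attrs:
            if value is not None and name in URL_ATTRS:
                value = self._rewrite(value)
            pieces.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(pieces) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_page(gateway, page_url, page_html):
    """Return (rewritten_html, number_of_links_rewritten)."""
    parser = LinkRewriter(gateway, page_url)
    parser.feed(page_html)
    parser.close()
    return "".join(parser.out), parser.rewritten


# Constructed sample: a page as a destination web site might return it.
PAGE_URL = "https://dest.example/news/index.html"
SAMPLE_PAGE = (
    '<html><body>'
    '<a href="/news/today?id=7">Today</a>'
    '<img src="//ads.example/banner.gif">'
    '<form action="search">Search</form>'
    '<a href="mailto:editor@dest.example">Mail</a>'
    '</body></html>'
)

if __name__ == "__main__":
    request = proxied_url(GATEWAY, PAGE_URL)           # what the browser sends (block 54)
    gateway, destination = split_proxied_url(request)   # what the gateway recovers
    rewritten, count = rewrite_page(gateway, destination, SAMPLE_PAGE)  # block 56
    print(count, "links rewritten")
    print(rewritten)
```

The protocol-relative image source (`//ads.example/...`) is the case that is easy to miss: left alone, the browser would resolve it itself and fetch the banner from the third-party ad server directly, which is exactly the leak the text above warns about.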
At the block 56, the software of the secure server 14 may also perform
cookie control and management operations. For example, if users have specified
that they do not wish to receive cookies or other electronic files, then the secure
server 14 can block or filter cookies transmitted from the web site along with the web
page. Furthermore, if the user has agreed to accept cookies, with or without
limitations, then the secure server 14 may control the type and quantity of cookies
that are eventually passed to the terminal 16. Additional details of how the user can
control cookies are described later below.

After receiving the web page and performing the activities described
above, the secure server 14 encrypts the web page and sends it to the web browser
of the terminal 16, via the secure link 18, for display on the secure browser window
66. According to one embodiment, all of the content of the page may be encrypted,
such that the proxy server 38 and/or information systems 40 only detects an
unintelligible data stream. As mentioned previously, the URL address and other
identifying information of the web page, including its hypertext links, are
concatenated with the URL address of the secure server 14 and then encrypted,
such that it appears that the data is originating from the secure server 14.

The encrypted information passes through the proxy server 38 and
firewall system 42, and is received by the terminal 16. The information is decrypted
and displayed on the secure browser window 66 at a block 58. Once displayed, the
user can view the web page and continue surfing, and in effect, the user occupies a
"private Internet."

If the user clicks on a hypertext link on the displayed web page at the
block 60, then the web browser is instructed to directly contact the secure server 14
for the web page, since the URL address associated with the hypertext link was
rewritten at the block 56. The URL address of the clicked hypertext link, which is
generally already concatenated with the URL address of the secure server 14 at this
point, is encrypted and sent to the secure server 14 at the block 54. It is noted that if
the URL address of the hypertext link is not concatenated already, if the user
entered a new URL address in the address field 70, or if the user selected a URL
address from a "Favorites" menu, such URL addresses are concatenated with the
URL address of the secure server 14, encrypted, and then the entire concatenated
address is transmitted to the secure server 14 via the secure link 18.

If the user does not click a hypertext link at the block 60, then a
determination is made at a block 62 whether the user is finished surfing/browsing. If
the user is not finished, then the user may continue surfing at the block 58, and the
process repeats as described above.

If the user is finished surfing at the block 62, then cookies, browsing
file histories, cached web pages, and other such information are deleted from the
storage unit 26 of the terminal 16 at a block 64. The deletion at the block 64 may be
accomplished any number of ways. For instance, upon notification of the end of
transmission (e.g., at sign-off or log-out), the secure server 14 can transmit
instructions to the terminal 16 that trigger software stored in the terminal 16 to
delete the cookies, file history, etc. In one embodiment, the user can download
cookie deletion software from the secure server 14, and use the software to delete
cookies at the end of a session.

Deletion of cookies or cookie control can be accomplished in several
ways. In one embodiment, the user may set preferences and transmit the
preferences to the secure server 14. The preferences can specify what cookies can
be allowed to be passed on to the terminal 16 by the secure server 14, while
undesirable cookies are not passed on by the secure server 14.
In another embodiment, a digital identity can be established for the
user and maintained at the secure server 14. Cookies for that user may then be
stored in the database unit 32 under the digital identity, and cookies are never
actually transferred to the terminal 16.
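The cookie control of block 56 together with the two embodiments just described (per-user preferences, and a server-held cookie jar under a digital identity), as an added example that is not part of the patent. The preference modes, the identities and the sample Set-Cookie headers are constructed for illustration; in "server" mode the cookies are held under the user's identity (the database unit 32 of the patent) and replayed by the gateway on later requests, so the terminal 16 never receives them.

```python
"""Added example (not the patent's software): cookie control at the gateway with
per-user preferences and a server-held cookie jar keyed by digital identity.
Modes, identities and sample headers are hypothetical."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieControl:
    """Cookie control at the gateway (secure server 14, block 56).

    Each user (digital identity) has a mode:
      "block"  - no cookies are accepted at all;
      "pass"   - cookies from permitted hosts are handed on to the terminal;
      "server" - cookies from permitted hosts are held in the gateway's database
                 and replayed by the gateway, so the terminal never stores them.
    An optional allow list restricts hosts; a deny list always wins. Cookies are
    keyed by host only (Domain/Path scoping is omitted for brevity)."""

    def __init__(self):
        self.prefs = {}  # identity -> {"mode", "allow", "deny"}
        self.jar = {}    # identity -> {host: {cookie name: value}}

    def set_preferences(self, identity, mode, allow=(), deny=()):
        if mode not in ("block", "pass", "server"):
            raise ValueError(f"unknown cookie mode {mode!r}")
        self.prefs[identity] = {"mode": mode, "allow": set(allow), "deny": set(deny)}

    def _mode(self, identity):
        return self.prefs.get(identity, {"mode": "block"})["mode"]  # unknown users: block

    def _permitted(self, identity, host):
        p = self.prefs.get(identity)
        if p is None or p["mode"] == "block" or host in p["deny"]:
            return False
        return not p["allow"] or host in p["allow"]

    def filter_response(self, identity, page_url, headers):
        """Apply the user's preferences to response headers from a destination site.
        `headers` is a list of (name, value). Returns (headers to forward to the
        terminal, number of cookies stored server-side)."""
        host = urlsplit(page_url).hostname
        forwarded, stored = [], 0
        for name, value in headers:
            if name.lower() != "set-cookie":
                forwarded.append((name, value))
            elif not self._permitted(identity, host):
                continue  # dropped: the cookie never reaches the terminal
            elif self._mode(identity) == "server":
                jar = self.jar.setdefault(identity, {}).setdefault(host, {})
                parsed = SimpleCookie()
                parsed.load(value)
                for key, morsel in parsed.items():
                    jar[key] = morsel.value
                    stored += 1
            else:  # "pass": the allowed cookie is handed on to the terminal
                forwarded.append((name, value))
        return forwarded, stored

    def request_headers(self, identity, url):
        """Cookie header the gateway adds when fetching `url` for this identity."""
        cookies = self.jar.get(identity, {}).get(urlsplit(url).hostname, {})
        if not cookies:
            return []
        return [("Cookie", "; ".join(f"{k}={v}" for k, v in sorted(cookies.items())))]


# Constructed sample response headers, as a destination site might send them.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    control = CookieControl()
    control.set_preferences("alice", "server", deny=["ads.example"])
    print(control.filter_response("alice", "https://dest.example/news", SAMPLE_HEADERS))
    print(control.request_headers("alice", "https://dest.example/other"))
```

A user the gateway has no preferences for is treated as "block", so a missing preference record fails closed rather than letting cookies through to the terminal.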

It is noted that in the system 10 shown in Figure 1 and in other
configurations, the proxy server 38 and/or information systems 40 may be able to
detect the number and length of communications from the terminal 16 to the secure
server 14, albeit not the content of such communications. As a result, the proxy
server 38 and/or information systems 40 may be eventually programmed to "block"
communication to and from the URL/IP address of the secure server 14. In other
settings, it may be possible for organizations, ISPs, government bodies, etc. to
restrict access to the secure server 14 by blocking packets having
source/destination addresses identifiable to the secure server 14. Accordingly, an
embodiment of a system 90 is shown in Figure 4 that provides the terminal 16 with
multiple access points to the secure server 14, thereby bypassing blocking
mechanisms.

The system 90 includes one or more spoofing units 92
communicatively couplable to the terminal 16. The spoofing unit 92 can comprise a
server, a web site, a web page, or any other network component that has a static IP
or URL address. The spoofing unit 92 can include/operate software to establish a
secure connection 94 with the terminal 16 and a connection 96 (which can be
secure) with the secure server 14, and can include software to pass browser
requests from the terminal 16 to the secure server 14 via the connections 94-96.

Such software may be distributed to operators of the spoofing unit 92
by owners of the secure server 14 free of charge (for example, if the operator of
the spoofing unit is an advocate of "privacy" or "free speech") or based on various
business incentives (e.g., installation of the software in exchange for banner
advertisement space on the secure browser window 66).

Figure 5 shows a flowchart 98 depicting an embodiment of a method
for secure communication that can be implemented by the system 90. In operation,
the terminal 16 may indirectly access the secure server 14 when the user launches a
web browser at a block 100 and enters https:// followed by the domain name (or
URL) address of the spoofing unit 92. This results in a secure connection to the
spoofing unit 92, at a block 102, using a suitable protocol, such as TCP/IP. The
TCP/IP protocol can include "handshaking" processes where SYN and ACK
information is exchanged between the terminal 16 and the spoofing unit 92.
Entering the https:// prefix allows the user to enter into a secure mode by
establishing the secure connection 94, thereby allowing the user to subsequently
enter and transmit to the spoofing unit 92, a URL address of a destination web site
at a block 104.

In one embodiment, the user may enter the URL address of the
destination web site after a string comprising the https:// prefix and URL address of
the spoofing unit 92. The URL address of the destination web site is subsequently
concatenated with the previously entered (or automatically entered) string, and the
portion of the resulting concatenated URL address having the URL address of the
destination web site is encrypted, in a manner similar to that described above with
respect to Figures 1-2. In another embodiment, the URL address of the spoofing
unit may also be concatenated with the string and then encrypted. This way, the
proxy server 38 and/or information systems 40 detects only the URL or IP address of
the spoofing unit 92, if anything, and not the address of the destination web site or of
the secure server 14.
Upon receipt of the web browser request, software in the spoofing unit
92 recognizes the request as being destined for the secure server 14. This may be
done by decrypting the encrypted addresses and then reading the URL address of
the secure server 14, or by other methods to detect that the request has to be
forwarded to the secure server 14. The spoofing unit 92 forwards the request to the
secure server 14 via the connection 96 at a block 106. It is noted that the spoofing
unit 92 can also forward the SYN/ACK information or other data to assist the secure
server 14 in maintaining and synchronizing subsequent communication with the
terminal 16. At a block 108, the secure server 14 receives the request from the
spoofing unit 92 and processes the SYN/ACK information to keep track and
synchronize the order of packets. A person skilled in the art will know how to
implement the SYN/ACK process based on the description provided herein.
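The forwarding decision of block 106, as an added example that is not the patent's software: the terminal nests the secure server's address and the destination inside the spoofing unit's address, the spoofing unit peels its own address off the front and forwards only when the next hop is the secure server 14, and the secure server in turn peels its own address off to find the destination (block 110). It generalizes the patent's single relay to any number of nested hops, each handled the same way. The addresses are hypothetical, and encryption of the inner portion is left to the secure connection 94 as in the patent; the SYN/ACK bookkeeping of block 108 is not modelled.

```python
"""Added example (not the patent's software): nested address handling for the
spoofing unit 92 (block 106) and the secure server 14 (block 110).
Addresses are hypothetical."""
from urllib.parse import urlsplit

# Hypothetical addresses; the patent names none.
SPOOFING_UNIT = "https://relay.example"
SECURE_SERVER = "https://secure.example"


def build_request(hops, destination):
    """Terminal side: nest the destination inside each hop, outermost hop first,
    e.g. hops [spoofing unit, secure server] -> relay/secure/destination."""
    url = destination
    for hop in reversed(hops):
        url = hop.rstrip("/") + "/" + url
    return url


def peel(gateway, request_url):
    """Strip `gateway/` from the front of a concatenated URL. Returns the inner
    URL, or None if the request is not addressed through `gateway` or the inner
    part is not itself an http(s) URL (e.g. the relay's own pages)."""
    prefix = gateway.rstrip("/") + "/"
    if not request_url.startswith(prefix):
        return None
    inner = request_url[len(prefix):]
    return inner if urlsplit(inner).scheme in ("http", "https") else None


def route_request(request_url, spoofing_unit=SPOOFING_UNIT, secure_server=SECURE_SERVER):
    """Spoofing unit side (block 106): decide whether to forward a request.
    Returns ("forward", url to send to the secure server) or ("reject", reason).
    A relay that is not the last hop only ever forwards to the configured next hop,
    so it cannot be used as an open proxy to arbitrary sites."""
    inner = peel(spoofing_unit, request_url)
    if inner is None:
        return "reject", "request is not addressed through this spoofing unit"
    if peel(secure_server, inner) is None:
        return "reject", "next hop is not the secure server"
    return "forward", inner


def resolve_destination(forwarded_url, secure_server=SECURE_SERVER):
    """Secure server side (block 110): the destination the page is fetched from,
    or None if the forwarded request does not carry one."""
    return peel(secure_server, forwarded_url)


if __name__ == "__main__":
    request = build_request([SPOOFING_UNIT, SECURE_SERVER], "https://dest.example/p?q=1")
    decision, forwarded = route_request(request)
    print(decision, forwarded)
    print(resolve_destination(forwarded))
```

When the secure server rewrites the fetched page for this path (block 110), the gateway it prefixes to every link is the outermost hop, the spoofing unit, not itself, so that the browser's next request again enters through the relay.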

After the secure server 14 receives the request and SYN/ACK
information from the spoofing unit 92, it decrypts the data to obtain the URL address
of the destination web site and obtains the requested web page therefrom at a block
110. Similar to the block 56 in the flowchart 46 of Figure 2, the secure server 14 at
the block 110 can perform URL rewriting. This may include rewriting the URL
address of the requested web page (e.g., "spoofing" its URL address) and its
hypertext links to indicate the spoofing unit 92 as the source. Modification of script
and code (e.g., Java™ and JavaScript™) of the web page may also be performed to
ensure that all subsequent requests by the web browser at the terminal 16 are sent
to the spoofing unit 92 (and from there, subsequently sent to the secure server 14).

As with the block 56 of Figure 2, the secure server 14 may perform
cookie control and other electronic file management at the block 110. After the
processes described above are performed on the web page, the web page is
encrypted and directly sent for display to the terminal 16, via the secure link 18, at a
block 112.

Since the return IP or URL address of all packets sent from the secure
server 14 to the terminal 16 are "spoofed" so that they appear to come from the
spoofing unit 92, it is virtually impossible for the proxy server 38 and/or information
systems 40 to determine that the packets came from the secure server 14 (and from
addresses other than the address of the spoofing unit 92). This can prove
particularly useful if the user is viewing web pages of a controversial or controlled
nature. The configuration of the system 90 of Figure 4 makes it appear to the proxy
server 38 and/or information system 40 that the encrypted content viewed by the
user, whatever it may be, is originating from an innocuous web site at the spoofing
unit 92. For the spoofed replies to be accepted, they must fit the connection that the
terminal 16 (or a proxy server 38 that terminates that connection on the terminal's
behalf) opened to the spoofing unit 92: the TCP sequence numbers and the SSL
session state of the secure connection 94 must match, which is why the spoofing
unit 92 passes the SYN/ACK information and related session data to the secure
server 14 as described above.

At a block 114 in Figure 5, the user may click on a hypertext link on the displayed web page or enter a URL address of another web site (e.g., continue to "surf"), thereby resulting in transmission of encrypted web browser requests to the spoofing unit 92, in the manner described above with respect to blocks 104-112. As before, web browser requests are sent to the spoofing unit 92 via the secure connection 94 (and forwarded to the secure server 14 via the connection 96), while retrieved web pages are sent directly to the terminal 16 from the secure server 14, without having to go through the spoofing unit 92. This is particularly advantageous because the bandwidth capacity of the spoofing unit 92 is not overwhelmed. That is, web browser requests take up significantly less bandwidth than the web page content produced in response to such requests. Hence, the spoofing unit 92 can easily accommodate multiple web browser requests, while the secure server 14 has the larger bandwidth to handle the content, via the secure link 18. 

If the user stops surfing at the block 114, then at log-out, cookies, file histories, cached web pages, etc. are deleted at a block 116. This may be done in a manner similar to the block 64 of Figure 2. 

As mentioned, there may be more than one spoofing unit 92. Hence, if access to any one of the spoofing units 92 is blocked, access to the secure server 14 may be obtained from other spoofing units. According to one embodiment, users may be provided with hardcopy or online URL directories of spoofing units, such that they can identify and connect to any of these participating units. In another embodiment, the secure server 14 can perform hand-off and redirection of the user's web browser to different spoofing units, such that the user's web browser can "dynamically" connect or reconnect to different spoofing units, as directed by the secure server 14. The secure server 14 may also automatically and dynamically provide the user's web browser with URL addresses of spoofing units (e.g., during a transmission of an encrypted web page), such that the user's web browser can automatically connect to such URL addresses for the next transaction(s). 

Various features and business models may be implemented by the embodiments described above and shown in the figures, to manage and customize a user's privacy. According to one embodiment, a user's privacy can be provided by the secure server 14 in exchange for placement of user-specific or general banner advertisements 78-82 on the secure server window 66 of Figure 3. In such a case, user identity, user IP addresses, and user content (e.g., content delivered or accessed) may be kept private in exchange for placement of banner advertisements. 

In another embodiment, components that are less important to users and most important to advertisers, web sites, or employers can be sold by the organization operating the secure server 14, with the user's permission. These components include: 

time spent online, bandwidth used (e.g., provided to employers); 

web surfing patterns of the user and correlations (e.g., provided to advertisers, web sites, and vendors); or 

personal preferences and interest of the user (e.g., provided to advertisers, web sites, and vendors). 

An example includes cookie control. Based on the preferences and instructions of the user, the user may control the type and quantity of cookies delivered to or filtered from the user's web browser by the secure server 14. In one embodiment, the user may be able to designate cookies for storage under a pseudonym, directly on the secure server 14, thereby adding another layer of privacy. Because cookies are often used to build profiles of the user (by web sites or advertisers), controlling cookie exchange with destination web sites allows the user to manage the amount of privacy provided by the secure server 14. 
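The cookie control just described, as an added example that is not the application's own code: a server-side store that filters an origin site's Set-Cookie headers according to the user's preferences, keeps the accepted cookies under a pseudonym rather than in the terminal's browser, replays them only on the secure server's later requests to that site, and purges them at log-out (as at the block 116). The preference model, the HMAC-derived pseudonym, the server secret and the sample Set-Cookie headers are assumptions constructed for this example.

```python
"""Cookie control at the secure server (added example, not the application's code).

Origin-site cookies never reach the terminal's browser unless the user opted in;
instead they are kept server-side under a pseudonym and replayed only on the
secure server's own later requests to that site.  The preference model,
pseudonym derivation and sample headers below are constructed assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


@dataclass
class CookiePreferences:
    """The user's instructions to the secure server (assumed model)."""
    blocked_sites: set = field(default_factory=set)  # hosts that may set no cookies at all
    session_only: bool = False        # drop cookies that carry Expires or Max-Age
    forward_to_browser: bool = False  # pass accepted cookies through to the terminal


def pseudonym(user_id: str, server_secret: bytes) -> str:
    """Stable, keyed pseudonym: the same user maps to the same jar, but the
    stored cookies cannot be linked back to the user id without the secret."""
    return hmac.new(server_secret, user_id.encode(), hashlib.sha256).hexdigest()[:16]


class CookieStore:
    """Server-side jar keyed by (pseudonym, origin host)."""

    def __init__(self):
        self._jar = {}  # (pseudonym, host) -> {cookie name: value}

    def apply_response(self, pseudo, url, set_cookie_headers, prefs):
        """Filter the origin's Set-Cookie headers for one response.

        Records accepted cookies under the pseudonym and returns the headers
        that should be forwarded to the browser (none unless the user opted in).
        """
        host = urlsplit(url).hostname
        if host in prefs.blocked_sites:
            return []
        accepted = self._jar.setdefault((pseudo, host), {})
        forwarded = []
        for header in set_cookie_headers:
            cookie = SimpleCookie()
            cookie.load(header)
            for name, morsel in cookie.items():
                persistent = bool(morsel["expires"] or morsel["max-age"])
                if prefs.session_only and persistent:
                    continue  # long-lived cookies are the profiling ones; drop them
                accepted[name] = morsel.value
                if prefs.forward_to_browser:
                    forwarded.append(header)
        return forwarded

    def request_header(self, pseudo, url):
        """Cookie header the secure server attaches when it re-visits the site."""
        host = urlsplit(url).hostname
        items = self._jar.get((pseudo, host), {})
        return "; ".join(f"{k}={v}" for k, v in sorted(items.items()))

    def purge(self, pseudo):
        """Log-out: forget everything stored under this pseudonym."""
        for key in [k for k in self._jar if k[0] == pseudo]:
            del self._jar[key]


# Constructed sample: one session cookie and one long-lived tracking cookie.
SAMPLE_SET_COOKIE = [
    "sid=abc123; Path=/; HttpOnly",
    "track=xyz789; Expires=Wed, 21 Oct 2099 07:28:00 GMT; Path=/",
]
SAMPLE_URL = "http://www.example-site.test/news/index.html"  # constructed


def demo():
    """One session-only user: a response, a follow-up request, then log-out.

    Returns (headers forwarded to browser, Cookie header replayed to the site,
    Cookie header after purge)."""
    store = CookieStore()
    pseudo = pseudonym("alice@example.test", b"constructed-server-secret")
    prefs = CookiePreferences(session_only=True)
    to_browser = store.apply_response(pseudo, SAMPLE_URL, SAMPLE_SET_COOKIE, prefs)
    replayed = store.request_header(pseudo, SAMPLE_URL)
    store.purge(pseudo)
    return to_browser, replayed, store.request_header(pseudo, SAMPLE_URL)


if __name__ == "__main__":
    print(demo())
```

The point of keying the jar by (pseudonym, host) is that the destination site still gets a working session, while neither the site nor the terminal's own cookie store holds anything that identifies the user; the persistent-cookie filter is where the "type and quantity" preference from the description takes effect.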

According to one embodiment, a user may allow operators of the secure server 14 to collect specified data related to the web browsing habits of the user, and then sell such information to advertisers, in exchange for protecting the user's privacy at all times. In this embodiment, such information may be sold to the advertisers with the permission of the user, and includes information that the user is generally not sensitive about. 

In conclusion then, embodiments of the invention provide a secure server 14. Users at terminals 16 can obtain information from web sites in the network 12 through the secure link 18, in encrypted form, thereby protecting their privacy and security. Such information appears as if it comes from the secure server 14 rather than specific web sites. Spoofing units 92 may be used as alternative access points to the secure server 14, with the secure server 14 sending requested information directly to the terminal 16. In general, URL rewriting and other manipulation can be performed such that the true source of the information is disguised and such that subsequent communication from the terminal 16 is directed to the secure server 14 and/or spoofing unit 92, rather than to the true source of the information (e.g., the web site). Components of the user's privacy may be sold as specified by the user, and advertisements may be displayed in exchange for protection of the user's identity. 

Attorney Docket: 004828.P001 

The above description of illustrated embodiments of the invention is not intended to be exhaustive or to limit the invention to the precise forms disclosed. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize. 

These modifications can be made to the invention in light of the above detailed description. The terms used in the following claims should not be construed to limit the invention to the specific embodiments disclosed in the specification and the claims. Rather, the scope of the invention is to be determined entirely by the following claims, which are to be construed in accordance with established doctrines of claim interpretation. 
CLAIMS 

What is claimed is: 

1. A method, comprising: 
responsive to a request, retrieving a web page designated in the request; 
modifying an address associated with the retrieved web page to indicate an address associated with a secure server that retrieved the web page; and 
encrypting data associated with the retrieved web page and sending, via a secure link, the encrypted data to a terminal that sent the request. 

2. The method of claim 1 wherein the secure link comprises a secure sockets layer (SSL) link. 

3. The method of claim 1 wherein modifying the address associated with the retrieved web page comprises modifying a Uniform Resource Locator (URL) or Internet Protocol (IP) address of a source web site that originated the web page. 

4. The method of claim 1 wherein modifying the address associated with the retrieved web page comprises modifying an address associated with a hypertext link in the retrieved web page to indicate the address associated with the secure server. 

5. The method of claim 1, further comprising modifying computer code associated with the retrieved web page to cause subsequent requests related to the retrieved web page to be sent to the secure server instead of to a source web site that originated the web page. 
6. The method of claim 1, further comprising decrypting the address associated with the web page from an address received along with the request from the terminal, the address received along with the request from the terminal comprising a concatenation of the address associated with the web page and the address associated with the secure server. 

7. The method of claim 1, further comprising repeating the retrieving, modifying, encrypting, and sending while the secure link is active. 

8. The method of claim 1, further comprising triggering a deletion of stored electronic files at the terminal related to a communication via the secure link, in response to termination of the communication. 

9. The method of claim 1, further comprising, at the secure server, controlling transmission of electronic files to the terminal based on preferences received from the terminal. 

10. The method of claim 1, further comprising: 
providing an intermediate unit to receive the request from the terminal; 
at the secure server, receiving the request, forwarded from the intermediate unit; 
retrieving the web page designated in the request from a source; 
modifying address information in the retrieved web page to indicate a source address corresponding to an address of the intermediate unit rather than to an address of the source that provided the web page; and 
directly sending an encrypted version of the retrieved web page from the secure server to the terminal, via the secure link. 

11. The method of claim 10, further comprising receiving, at the secure server, communication protocol information related to a communication between the terminal and the intermediate unit, to allow the secure server to respond to requests sent to the intermediate unit from the terminal. 

12. The method of claim 10, further comprising receiving subsequent requests from the terminal at the intermediate unit rather than directly at the secure server from the terminal. 

13. The method of claim 1, further comprising storing under a pseudonym at a location communicatively coupled to the secure server, electronic files sent from a web site along with the web page. 

14. The method of claim 1, further comprising: 
obtaining information related to a user's communication with the secure server; 
providing the obtained information to an entity based on permission of the user and in exchange for providing the secure link; and 
providing advertisements from the entity to the user related to the obtained information. 

15. The method of claim 1, further comprising: 
providing a viewing window at the terminal; 
displaying the retrieved web page at the viewing window; and 
providing an interface for subsequent communication with the secure server from the viewing window. 

16. A method, comprising: 
providing an intermediate unit to receive a request for a web page from a terminal; 
at a secure server, receiving the request, forwarded from the intermediate unit; 
retrieving the web page designated in the request from a source; 
modifying address information in the retrieved web page to indicate a source address corresponding to an address associated with the intermediate unit rather than to an address associated with a source that provided the web page; and 
directly sending an encrypted version of the retrieved web page from the secure server to the terminal, via a secure link. 

17. The method of claim 16, further comprising receiving, at the secure server, communication protocol information related to a communication between the terminal and the intermediate unit, to allow the secure server to respond to requests sent to the intermediate unit from the terminal. 

18. The method of claim 16, further comprising receiving subsequent requests from the terminal at the intermediate unit rather than directly at the secure server from the terminal. 

19. The method of claim 16, further comprising: 
receiving from the intermediate unit and at the secure server, encrypted address information associated with the web page, concatenated with the address associated with the intermediate unit; 
decrypting the encrypted address information and retrieving a web page corresponding thereto; and 
re-encrypting the address associated with the retrieved web page and concatenating the re-encrypted address with the address associated with the intermediate unit. 



20. A machine-readable medium having stored thereon instructions, which when executed by a processor, cause the processor to effect the following: 
responsive to a request, retrieve a web page designated in the request; 
modify an address associated with the retrieved web page to indicate an address associated with a secure server that retrieved the web page; and 
encrypt data associated with the retrieved web page and send, via a secure link, the encrypted data to a terminal that sent the request. 

21. The machine-readable medium of claim 20 wherein the instructions cause the processor to effect the following: 
send the encrypted data via the secure link by sending the encrypted data via a secure sockets layer (SSL) link. 

22. The machine-readable medium of claim 20 wherein the instructions cause the processor to effect the following: 
modify the address associated with the retrieved web page by modifying a Uniform Resource Locator (URL) or Internet Protocol (IP) address of a source web site that originated the web page. 

23. The machine-readable medium of claim 20 wherein the instructions cause the processor to effect the following: 
receive the request from the terminal forwarded from an intermediate unit; 
retrieve the web page designated in the request from a source; 
modify address information in the retrieved web page to indicate a source address corresponding to an address associated with the intermediate unit rather than to an address associated with the source that provided the web page; and 
directly send an encrypted version of the retrieved web page from the secure server to the terminal, via the source link. 

24. A machine-readable medium having stored thereon instructions, which when executed by a processor cause the processor to effect the following: 
receive a request for a web page from a terminal; and 
forward the request from the terminal to a secure server to allow the secure server to retrieve the web page designated in the request from a source and to allow the secure server to directly send an encrypted version of the retrieved web page from the secure server to the terminal, via a secure link. 

25. The machine-readable medium of claim 24 wherein the instructions further cause the processor to effect the following: 
send to the secure server communication protocol information related to a communication with the terminal, to allow the secure server to respond to requests sent from the terminal. 

26. The machine-readable medium of claim 24 wherein the instructions further cause the processor to effect the following: 
receive subsequent requests directly from the terminal rather than directly at the secure server. 

27. The machine-readable medium of claim 24 wherein the instructions further cause the processor to effect the following: 
receive an encrypted address concatenated with other address information via a secure connection; 
decrypt the encrypted address and retrieve an address associated with the secure server or the address associated with the web page therefrom; and 
send the request to the decrypted address. 

28. An apparatus, comprising: 
a processor coupled to a storage unit, the storage unit being capable of storing a computer program; and 
a communication unit to allow the processor to communicate with a terminal and with a web site, wherein responsive to a request from the terminal, the processor is capable of effecting execution of the computer program to retrieve a requested web page from the web site via the communication unit, to modify an address of the retrieved web page to a different address, to encrypt data associated with the retrieved web page, and to send the encrypted data to the terminal via a secure link communicatively coupleable to the communication unit. 

29. The apparatus of claim 28 wherein the secure link comprises a secure sockets layer (SSL) link. 

30. The apparatus of claim 28, further comprising a database unit communicatively coupled to the processor to store electronic files under a pseudonym, the electronic files corresponding to data sent from the web site along with the retrieved web page. 

31. An apparatus, comprising: 
a server communicatively coupleable to a network and to a terminal, the server being capable of sending data from the network to the terminal in an encrypted form via a secure link, in response to a request received from the terminal, wherein the data sent to the terminal indicates the server as a source of the data. 

32. The apparatus of claim 31 wherein the secure link comprises a secure sockets layer (SSL) link. 

33. The apparatus of claim 31 wherein the server is communicatively coupleable to an intermediate unit, the server being capable of receiving the request from the terminal via the intermediate unit and sending the data responsive to the request directly to the terminal via the secure link. 

34. A system, comprising: 
a server communicatively coupleable to a network and to a terminal, the server being capable of sending data from the network to the terminal in an encrypted form via a secure link, in response to a request received from the terminal, wherein the data sent to the terminal indicates the server as a source of the data; and 
an intermediate unit communicatively coupleable to the server, the server being capable of receiving the request from the terminal via the intermediate unit and sending the data responsive to the request directly to the terminal via the secure link. 

35. The system of claim 34 wherein the secure link comprises a secure sockets layer (SSL) link. 

36. The system of claim 34 wherein the intermediate unit is capable of receiving subsequent requests from the terminal and sending the request to the server, the server being capable of receiving the requests from the intermediate unit and sending data responsive to the request directly to the terminal, the data sent to the terminal indicating a source address corresponding to the intermediate unit rather than an address corresponding to the server. 
METHOD AND APPARATUS FOR ENCRYPTED COMMUNICATIONS TO A SECURE SERVER 

ABSTRACT OF THE DISCLOSURE 

An embodiment of the invention includes a secure server. A user at a terminal, communicatively coupled to the secure server by a secure link, can obtain web pages from web sites in a network, in encrypted form, via the secure link. Addresses associated with the web pages are altered to make it appear as if the web pages come from the secure server rather than from the web sites. Spoofing units may be used as alternative access points to the secure server, with the secure server sending the requested web pages directly to the terminal. In general, address rewriting and other manipulation can be performed on the requested web pages, such that the true sources of the web pages are disguised and such that subsequent communications from the terminal are directed to the secure server and/or spoofing unit, rather than to the true source of the web pages. Components of the user's privacy may be sold, or advertisements may be provided, in exchange for protection of the user's identity. 

/004828/P001/FuguNet-P001-AP/v2 
Post Office Address: 12 Crestdale Dr., Danbury, CT 06811-5243 

Full Name of Third/Joint Inventor: (illegible in scan) 
Inventor's Signature / Date: (illegible in scan) 
Residence (City, State): (illegible in scan), CA 
Citizenship (Country): (illegible in scan) 
Post Office Address: (blank) 

The declaration form fields for the Fourth through Seventh Joint Inventors (Full Name, Inventor's Signature, Date, Residence, Citizenship, Post Office Address) are blank. 
APPENDIX A 

William E. Alford, Reg. No. 37,764; Farzad E. Amini, Reg. No. P42,261; Aloysius T. C. AuYeung, Reg. No. 35,432; William Thomas Babbitt, Reg. No. 39,591; Carol F. Barry, Reg. No. 41,600; Jordan Michael Becker, Reg. No. 39,602; Bradley J. Bereznak, Reg. No. 33,474; Michael A. Bernadicou, Reg. No. 35,934; Roger W. Blakely, Jr., Reg. No. 25,831; Gregory D. Caldwell, Reg. No. 39,926; Ronald C. Card, Reg. No. 44,587; Andrew C. Chen, Reg. No. 43,544; Thomas M. Coester, Reg. No. 39,637; Alin Cone, Reg. No. P46,244; Dennis M. de Guzman, Reg. No. 41,702; Stephen M. De Klerk, under 37 C.F.R. § 10.9(b); Michael Anthony DeSanctis, Reg. No. 39,957; Daniel M. De Vos, Reg. No. 37,813; Robert Andrew Diehl, Reg. No. 40,992; Sanjeet Dutta, Reg. No. P46,145; Matthew C. Fagan, Reg. No. 37,542; Tarek N. Fahmi, Reg. No. 41,402; Paramita Ghosh, Reg. No. 42,806; James Y. Go, Reg. No. 40,621; James A. Henry, Reg. No. 41,064; Willmore F. Holbrow III, Reg. No. P41,845; Sheryl Sue Holloway, Reg. No. 37,850; George W. Hoover II, Reg. No. 32,992; Eric S. Hyman, Reg. No. 30,139; William W. Kidd, Reg. No. 31,772; Sang Hui Kim, Reg. No. 40,450; Eric T. King, Reg. No. 44,188; Erica W. Kuo, Reg. No. 42,775; Kurt P. Leyendecker, Reg. No. 42,799; Michael J. Mallie, Reg. No. 36,591; Andre L. Marais, under 37 C.F.R. § 10.9(b); Paul A. Mendonsa, Reg. No. 42,879; Darren J. Milliken, Reg. No. 42,004; Lisa A. Norris, Reg. No. 44,976; Chun M. Ng, Reg. No. 36,878; Thien T. Nguyen, Reg. No. 43,835; Thinh V. Nguyen, Reg. No. 42,034; Dennis A. Nicholls, Reg. No. 42,036; Daniel E. Ovanezian, Reg. No. 41,236; Marina Portnova, Reg. No. P45,750; Babak Redjaian, Reg. No. 42,096; William F. Ryann, Reg. No. 44,313; James H. Salter, Reg. No. 35,668; William W. Schaal, Reg. No. 39,018; James C. Scheller, Reg. No. 31,195; Jeffrey Sam Smith, Reg. No. 39,377; Maria McCormack Sobrino, Reg. No. 31,639; Stanley W. Sokoloff, Reg. No. 25,128; Judith A. Szepesi, Reg. No. 39,393; Vincent P. Tassinari, Reg. No. 42,179; Edwin H. Taylor, Reg. No. 25,129; John F. Travis, Reg. No. 43,203; George G. C. Tseng, Reg. No. 41,355; Joseph A. Twarowski, Reg. No. 42,191; Lester J. Vincent, Reg. No. 31,460; Glenn E. Von Tersch, Reg. No. 41,364; John Patrick Ward, Reg. No. 40,216; Mark L. Watson, Reg. No. P46,322; Thomas C. Webster, Reg. No. P46,154; Charles T. J. Weigell, Reg. No. 43,398; Kirk D. Williams, Reg. No. 42,229; James M. Wu, Reg. No. 45,241; Steven D. Yates, Reg. No. 42,242; and Norman Zafman, Reg. No. 26^50; my patent attorneys, and Justin M. Dillon, Reg. No. 42,486; my patent agent, of BLAKELY SOKOLOFF, TAYLOR & ZAFMAN LLP, with offices located at 12400 Wilshire Boulevard, 7th Floor, Los Angeles, California 90025, telephone (310) 207-3800, and James R. Thein, Reg. No. 31,710, my patent attorney. 
APPENDIX B 

Title 37, Code of Federal Regulations, Section 1.56 
Duty to Disclose Information Material to Patentability 

(a) A patent by its very nature is affected with a public interest. The public interest is best served, and the most effective patent examination occurs when, at the time an application is being examined, the Office is aware of and evaluates the teachings of all information material to patentability. Each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in this section. The duty to disclose information exists with respect to each pending claim until the claim is cancelled or withdrawn from consideration, or the application becomes abandoned. Information material to the patentability of a claim that is cancelled or withdrawn from consideration need not be submitted if the information is not material to the patentability of any claim remaining under consideration in the application. There is no duty to submit information which is not material to the patentability of any existing claim. The duty to disclose all information known to be material to patentability is deemed to be satisfied if all information known to be material to patentability of any claim issued in a patent was cited by the Office or submitted to the Office in the manner prescribed by §§ 1.97(b)-(d) and 1.98. However, no patent will be granted on an application in connection with which fraud on the Office was practiced or attempted or the duty of disclosure was violated through bad faith or intentional misconduct. The Office encourages applicants to carefully examine: 

(1) Prior art cited in search reports of a foreign patent office in a counterpart application, and 

(2) The closest information over which individuals associated with the filing or prosecution of a patent application believe any pending claim patentably defines, to make sure that any material information contained therein is disclosed to the Office. 

(b) Under this section, information is material to patentability when it is not cumulative to information already of record or being made of record in the application, and 

(1) It establishes, by itself or in combination with other information, a prima facie case of unpatentability of a claim; or 

(2) It refutes, or is inconsistent with, a position the applicant takes in: 

(i) Opposing an argument of unpatentability relied on by the Office, or 

(ii) Asserting an argument of patentability. 

A prima facie case of unpatentability is established when the information compels a conclusion that a claim is unpatentable under the preponderance of evidence, burden-of-proof standard, giving each term in the claim its broadest reasonable construction consistent with the specification, and before any consideration is given to evidence which may be submitted in an attempt to establish a contrary conclusion of patentability. 

(c) Individuals associated with the filing or prosecution of a patent application within the meaning of this section are: 

(1) Each inventor named in the application; 

(2) Each attorney or agent who prepares or prosecutes the application; and 

(3) Every other person who is substantively involved in the preparation or prosecution of the application and who is associated with the inventor, with the assignee or with anyone to whom there is an obligation to assign the application. 

(d) Individuals other than the attorney, agent or inventor may comply with this section by disclosing information to the attorney, agent, or inventor. 